Re: Database Scanners

From: Jay Beale (jay@bastille-linux.org)
Date: Fri Aug 13 2004 - 12:32:44 EDT


The first part of the question seems to be whether there should be a
separate security administrator at all -- I think there definitely
should be. Having a primary focus on security allows an individual to
both build up and practice not only the requisite skills, but also the
right attitude, one that forces you to constantly consider how you would
break into your site and thus what remediation steps should be taken.
Honestly, a huge part of what we do as security people is just
exercising this attitude. Having a separate security administrator not
only allows some part of your organization to think in this way, but
also gives you someone to serve as a kind of "security conscience," a
voice that questions bad implementation decisions, hopefully while
they're being made.

As far as what department the Security Administrator should work for,
the jury is still out. Many people favor a separate security team that
doesn't share space or resources with the normal IT department. This
has always seemed ideal, but it comes at a very high cost. By not being
part of the operational IT group, sitting with those folks every day,
the security group very often loses the ability to influence the IT
folks in any way but fiat. And fiat is a difficult way to do security...

  - Jay

Frank Boldewin wrote:
> hi peter,
>
> in my opinion the auditor (revision or tiger team) of the company,
> because it's a bad idea to let the department check their own environment.
> i think that dual control makes a better security and assures that the scans
> are really done at regular intervals.
>
> greetings,
> frank
>
>
> ----- Original Message -----
> From: "PETER INEH" <PINEH@mbc-nig.com>
> To: "Jay Beale" <jay@bastille-linux.org>; "Frank Boldewin"
> <frank.boldewin@gmx.de>; <pen-test@securityfocus.com>
> Sent: Friday, August 13, 2004 11:25 AM
> Subject: Re: Database Scanners
>
>
>
>>Greetings,
>>
>>Can anyone confirm to me which department should handle the duties of the
>>Security Administrator. Is it IT department or the IT Auditor?
>>
>>Thanks.
>>
>>
>>
>>Peter Ineh
>>Inspection Department
>>MBC International Bank Limited
>>
>>
>>-----Original Message-----
>>From: Jay Beale <jay@bastille-linux.org>
>>To: Frank Boldewin <frank.boldewin@gmx.de>
>>Cc: pen-test@securityfocus.com
>>Date: Thu, 17 Jun 2004 23:12:33 -0700
>>Subject: Re: Database Scanners
>>
>>
>>>I'm pretty impressed by MetaCoretex.
>>>
>>>http://www.metacoretex.com/
>>>
>>>Quoting:
>>>
>>>MetaCoretex is an entirely JAVA vulnerability scanning framework which
>>>puts special emphasis on databases. Probe objects are written in JAVA by
>>>means of an easy to extend AbstractProbe class. Additionally, probe
>>>generators make the process of writing simple probes almost automagic.
>>>
>>>Please see the Features FAQ for information on all the junk MetaCoretex
>>>can do...
>>>
>>>Also, check out the Probe List for a current listing of active probes.
>>>
>>>
>>> - Jay
>>>
>>>
>>>
>>>In the wise words of Frank Boldewin:
>>>
>>>
>>>>hi,
>>>>
>>>>the only good database scanner i know is appdetective.
>>>>
>>>>http://www.appsecinc.com/products/appdetective/
>>>>
>>>>scans several databases: oracle, db2, mssql, mysql, notes, sybase and web
>>>>apps.
>>>>
>>>>hope that helps.
>>>>
>>>>cheers,
>>>>frank
>>>>
>>>>
>>>>
>>>>
>>>>----- Original Message -----
>>>>From: <brownsec@hotmail.com>
>>>>To: <pen-test@securityfocus.com>
>>>>Sent: Wednesday, June 16, 2004 10:39 PM
>>>>Subject: Database Scanners
>>>>
>>>>
>>>>
>>>>>
>>>>>Is anyone aware of a good scanner that will work well against DB2
>>>>>databases? I know ISS has a DB-Scanner but it does not appear to be
>>>>>compatible with DB2.
>>>>>
>>>>>
>>>>>Thanks...
>>>>>
>>>>
>>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT